New EU Rules for Cyber Security

Tuesday, December 8, 2015 @ 04:12 PM gHale

Transport and energy companies will have to ensure the digital infrastructure they use to deliver essential services is robust enough to withstand cyber attacks, under new rules provisionally agreed by internal market MEPs and the Luxembourg Presidency of the EU Council of Ministers.

“Today, a milestone has been achieved: We have agreed on first ever EU-wide cyber security rules, which the Parliament has advocated for years,” said Parliament’s rapporteur Andreas Schwab (EPP, DE), after the Monday deal.


“Parliament has pushed hard for a harmonized identification of critical operators in energy, transport, health or banking fields, which will have to fulfill security measures and notify significant cyber incidents. Member states will have to cooperate more on cyber security – which is even more important in light of the current security situation in Europe.”

“Moreover this directive marks the beginning of platform regulation. Whilst the Commission’s consultation on online platforms is still on-going, the new rules already foresee concrete definitions – a request that Parliament had made since the beginning in order to give its consent to the inclusion of digital services,” he said.

MEPs put an end to the current fragmentation of 28 national cyber security systems by listing the sectors — energy, transport, banking, financial markets, health and water supply — in which critical service companies will have to ensure they are robust enough to resist cyber-attacks. These companies must also be ready to report serious security breaches to public authorities.

Member states will have to identify concrete “operators of essential services” from these sectors using certain criteria: Whether the service is critical for society and the economy, whether it depends on network and information systems and whether an incident could have significant disruptive effects on its provision or public safety.

In addition, some Internet service providers, such as online marketplaces (e.g. eBay, Amazon), search engines (e.g. Google) and cloud services, will also have to ensure the safety of their infrastructure and report major incidents. Micro and small digital companies will get an exemption, the deal said.

To ensure a high level of security across the EU and to develop trust and confidence among member states, the draft rules set up a strategic cooperation group to exchange information and best practices, draw up guidelines and assist member states in cyber security capacity building.

In addition, a network of Computer Security Incident Response Teams (CSIRTs), one set up by each member state to handle incidents, will be established to discuss cross-border security incidents and identify coordinated responses.